As I continue this learning vein on “cyber security” (I’m calling it cysec), the issue of home network security has come up several times. I think most people believe their home network and their computer are completely protected from Internet-based attacks.
That is probably mostly true, but on the other hand there are a LOT of exploits for home routers.
So, if you have an old router, or don’t update the firmware, it’s likely that it’s vulnerable to attack.
Who cares? And/or who would target lil’ old me?
Well, the idea is that you generally want many layers of security. This is commonly referred to as “defense in depth”. You’d have a secure router; but if they get past that, then your computers are securely configured. If they get past that, then you have some sort of anti-virus or malware protection, etc. So the reason you should care is that private data on your network could be vulnerable. This means:
- Access to account numbers – which can be used for credit card fraud
- Access to personal information – which can be used for identity theft
- Access to your e-mail account – which can be used to hijack/reset ALL of your credit/bank account passwords
- Leaves you vulnerable to “ransomware”
This leads to the traditional opinion of “no one would bother to target little old me!” Maybe that is true. However, there are also thousands of hackers throwing out a dragnet, looking for any vulnerable systems – and they might just stumble across you. It’s nothing personal, but you’d be targeted simply because your data was available!
Of all of the things above, the one that should be most concerning to most people is ransomware. This is where the attacker finds all of your data, encrypts it, and demands you pay them within a certain time. If you do, you get the decryption key. If you don’t, they destroy the decryption key. The primary target for this kind of attack is: anyone who has available data.
The more active, destructive, but riskier item in the list is getting access to your e-mail. With your e-mail account, the attacker can “reset my password” on every bank and credit card website. They can then run up charges, do a “balance transfer” or wire money from your account to theirs.
The point is – having your data available for the taking, is a bad thing – even for a regular computer user.
How safe is your home router?
To start, you need to figure out the make/model of the device. You should also log into the device via your web browser and go to the “firmware” page. Go to the manufacturer’s website, download the latest firmware, and update the firmware on your device. You should do this now, and do it on a regular basis!
Some routers, like the Arris for example, can’t be updated by the end-user. If you have an all-in-one router from your cable company, then you are likely out of luck. You can still determine if there are exploits for your device, but you won’t be able to patch them. For this and a few other reasons, you should probably own your own cable modem and router.
Once you have your router make/model, you can do three things:
- Check for known vulnerabilities: Navigate to https://www.exploit-db.com/ and search for your model number. For example, remember the old LinkSys WRT54G that everyone used to have? Here are 9 exploits, or 9 ways to break into that router (although I assume a few of these may be fixed in a patch by now – but most people don’t patch/update the firmware on their router!)
- Search for other vulnerabilities: Do a Google search for your router model number and the word “exploit”. For example, a search for Buffalo WZR-HP-G3000NH2 exploit shows that this has a cross-site request forgery (CSRF) exploit that someone can set up.
- Test your router from the outside: Navigate to http://www.checkmyrouter.org/ and run the “port scan” and “UPNP bug” check. Specifically for UPNP, you can use Rapid7’s scanner too: http://upnp-check.rapid7.com/
In the third step, these websites do a few key things. First, the port scan checks to see if any TCP/IP ports are open on the outside (WAN side) of your router. Any open port could be used to break into your router, which then gives the attacker a platform from which to gain access to other devices on your network. So ideally, you should see that it shows NO open ports.
Next, what is this “UPNP”? It stands for Universal Plug-and-Play. It is a standard that has no authentication and lets devices inside your network open ports through your router – even when there is a firewall in place! A common example is an IP camera or baby monitor. If that has UPNP turned on, you will often see port 80 on your router open, even though no web server is running on the router AND you have it blocked in the firewall. So, the port scan will show the router as having port 80 open, and the UPNP check will see whether any UPNP devices in your house are exposing themselves via your internet router. Make a point to log into any IP cameras and baby monitors and turn OFF any “UPNP” option.
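The outside-in checks above tell you whether something is already exposed; a complementary inside-out check is to see which devices on your own LAN are answering UPnP discovery at all, so you know which cameras or monitors to log into and switch UPnP off. The script below is an added example, not code from the original post or from checkmyrouter.org or Rapid7; it sends a standard SSDP M-SEARCH to the UPnP multicast group and lists every device that replies (the sample response used for the parser is constructed, with made-up addresses).

```python
import socket
from typing import Dict, List

# Constructed sample of an SSDP M-SEARCH reply, shaped like what a UPnP
# IP camera or gateway on the LAN sends back (addresses/names are made up).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.50:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.4 UPnP/1.0 ExampleCam/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000\r\n"
    b"\r\n"
)

def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse one SSDP reply (HTTP-over-UDP) into upper-cased header fields."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers: Dict[str, str] = {}
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return headers  # not a valid M-SEARCH reply; ignore it
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:  # skip blank and malformed lines
            headers[key.strip().upper()] = value.strip()
    return headers

def discover_upnp(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send an SSDP M-SEARCH to 239.255.255.250:1900 and collect all replies."""
    msearch = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
               'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n').encode()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(msearch, ("239.255.255.250", 1900))
    found: List[Dict[str, str]] = []
    try:
        while True:  # keep reading until the timeout fires
            data, addr = sock.recvfrom(65507)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                hdrs["FROM"] = addr[0]  # LAN address of the answering device
                found.append(hdrs)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    for dev in discover_upnp():
        print(dev["FROM"], dev.get("SERVER", "?"), dev.get("LOCATION", "?"))
```

Every address printed is a device that will happily answer UPnP requests; an InternetGatewayDevice entry is your router's own UPnP service, which is the one that opens WAN ports on request.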
The main point here is that this isn’t the olden days of the Internet. In the olden days, you actually had to DO something to get a virus or have your computer be compromised. The reason the attack was successful is because the end-user was fooled: “You idiot! You opened that e-mail attachment!”
Nowadays, and for a few years now, all that is gone. Now you simply need to be behind on your patches.
What’s the answer, then? Well, if you want a “pretty good”, secure computing environment at home, I’d recommend:
- Check your router, per this blog post.
- Set VERY good passwords for everything. Use a common “core” password, and the service name and year as a suffix, like passwordNF15 for Netflix, passwordWF15 for your Wells Fargo account.
- Set screensavers/lock screens on ALL of your devices with a good PIN.
- Use BitLocker or any whole-disk encryption for ALL hard drives including USB thumb drives and SD cards.
- These 5 steps (lock down your browser, use public DNS, use DuckDuckGo, and use a VPN service)
Doing these relatively simple things would leave you pretty secure from outside attackers. Plus, if you came home to a burglarized house – you would immediately be pretty confident that at least your data is safe. Well, safe from the casual or even advanced attacker. Being protected from governments or professional level hackers would require some additional steps – but these reasonable steps should be good enough for the things you’re likely to run into in your non-spy, non-high profile life!